This is a follow-up to a post I did in late 2014, CF911: ‘Help! I’ve updated the JVM which ColdFusion uses, and now it won’t start!’. In that post, I listed about a dozen common problems that befall people who try to update the JVM that CF is using.

In this post, I want to elaborate on one more common mistake. Well, mistake may be too strong a word. It’s about a default option when you run a Java JDK installer (see the other post for more on JDK vs JRE options).

In short, I make the case here for why you should NOT let the JDK installer implement its “public jre” option.

As I concluded in that earlier blog post, do beware that when you run the Java JDK installer, it will have a few options, one of which is the “public jre”. You should generally choose NOT to install that, both for security reasons, AND to prevent Java from later prompting you or someone else to let it update itself, which then could break CF. Let me explain.

Testing whether there is already a public JRE

First, let’s just do a quick check.

If you go to the command prompt on your machine, and run the command “java” (no arguments, just the word java by itself), what do you get? If it’s an error that the command can’t be found, then I’d argue that’s a good thing. It means that there is no “public JRE” on your machine…no version of Java that’s been installed in such a way that it can be used by any program on the machine. That’s what “public” means here (not that it’s public to anyone OFF your server).
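The same check, scripted for a POSIX shell as an added example that is not code from the original post (on Windows, `where java` gives the equivalent answer). It also reads `java.home` from ColdFusion’s jvm.config so you can tell whether the Java on PATH is simply CF’s own JVM or a separate public one; the config path and contents below are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post. Checks whether a "public" JRE is
# reachable on PATH and compares it with the JVM ColdFusion's jvm.config points at.

# Print the java binary PATH resolves (the "public" JRE); return 1 if there is none.
# An optional search path can be passed in place of the real PATH.
public_jre() {
    PATH="${1:-$PATH}" command -v java 2>/dev/null
}

# Read java.home from a jvm.config (typically <cf_root>/cfusion/bin/jvm.config).
cf_java_home() {
    sed -n 's/^java\.home=//p' "$1" | head -n 1
}

# Classify: none (good), same (PATH merely points at CF's own JVM), or
# different (an extra JVM any local process can run and a Java updater may touch).
public_jre_status() {
    cfg="$1"; search="${2:-$PATH}"
    pub=$(public_jre "$search") || { echo none; return 0; }
    cfhome=$(cf_java_home "$cfg")
    [ -n "$cfhome" ] || { echo unknown; return 0; }
    case "$pub" in
        "$cfhome"/*) echo same ;;
        *)           echo different ;;
    esac
}

# Constructed sample jvm.config and a fake "public" java so the script runs offline.
WORK=$(mktemp -d)
printf 'java.home=/opt/coldfusion2018/jre\njava.args=-server -Xmx1024m\n' > "$WORK/jvm.config"
mkdir -p "$WORK/publicjre/bin"
printf '#!/bin/sh\necho fake java\n' > "$WORK/publicjre/bin/java"
chmod +x "$WORK/publicjre/bin/java"

echo "CF JVM:            $(cf_java_home "$WORK/jvm.config")"
echo "Real PATH status:  $(public_jre_status "$WORK/jvm.config")"
echo "With fake public:  $(public_jre_status "$WORK/jvm.config" "$WORK/publicjre/bin")"
echo "With empty PATH:   $(public_jre_status "$WORK/jvm.config" /nonexistent)"
```

A result of `different` on the real PATH is the situation the post warns about: a second JVM that is not the one CF runs on.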

Why is it better not to have a public JRE?

So why is it better to NOT allow Java to be run on the machine this way? Primarily for security reasons. If somehow some bad guy DOES get onto your machine, or more likely just leverages some vulnerability to get some sort of code ONTO the machine, that code would be able to run Java without needing to know where it is installed. It’s “public”.

Read the full article here.
